Re: Jiwa Financials - Reporting allows execution of arbitrary reports as SQL user with full permissions. Jun 02 2006 03:44AM
mikes jiwa com au
Secunia security advisory categorises it as "less critical" :

http://secunia.com/advisories/20342/

I'm not going to argue with experts - our categorisation of the risk

level stays as it is.

Original report (which has been edited) claimed it was a remote exploit

- this is false, and seems to have only been included in the report for

added sensationalism.

There is nothing sensational here.

The only vulnerability is that an authenticated user may be able to run

a Crystal Report which could possibly reveal sensitive information,

should they have the skills to construct such a report.

Only information at risk is the information contained within the Jiwa

database, nothing else - no other SQL database, no files on the

filesystem.

Bug # 4186 in our system addresses this report redirection

vulnerability.

As of 5pm, Thursday June 1st, 2006 a patch for this is available for customers and dealers from our website, www.jiwa.com.au.

Password encryption is a todo feature logged way before this was

reported. No promise was made. My exact words were :

"...I don't like to comment on un-released products, as changes are

sometimes withdrawn before release, which can result in disappointment.

However, I feel some information on where we are heading may do

something to at least partially reassure you that we are making changes

to the security within the product..."

I then went on to cover a number of topics, including password

encryption, and provided a URL to our bug tracking database for Robert

to see all we were doing in the software.

Does a company which does not care provide someone like Robert with a

URL to their internal bug tracking database ?

Robert, I strongly suggest you remain factual in your reports in

future. We will not tolerate vexatious complaints or threats (care for

me to quote some of your emails to me, here in a public forum ?).

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus